Connecting to a private LAN host over the internet via SSH.

If you've ever worked within Unix- or Linux-based networks, you will no doubt have come across the need to access a server on a LAN or private network via an intermediate host connected to the internet. Copying files is especially arduous.

There are a few different ways of achieving this. I want to share a couple that I regularly use.

Method 1: Direct SSH

source.host~$ ssh -A www.example.com
www.example.com~$ ssh target.lan

This is a simple two-command connection: the first command connects you to the server at www.example.com, then the second command (run on the server at www.example.com) connects you to the target.lan host. The -A flag specifies agent forwarding, which means that if you are using public/private key pairs you won't be prompted for server passwords.

Pros:

No additional config

Cons:

Two commands

Can't SCP files directly

Method 2: Chained SSH

source.host~$ ssh -At www.example.com ssh target.lan

This will log you into the target.lan server. Again, the -A flag is used to specify agent forwarding. The -t flag forces pseudo-tty allocation, so the inner ssh session gets an interactive terminal and the connection doesn't close right away after running the second ssh command.

Pros:

No additional config

Single command

Cons:

Can't SCP files directly

Method 3: ProxyCommand

This is by far my preferred method, however it has a few minor prerequisites. First, ensure that netcat (nc) is installed on the intermediate host (www.example.com). If it's running a recent distro you'll more than likely have it already installed; if not, check your repos. Secondly, we need to create a ~/.ssh/config entry. Let's do that now. Open ~/.ssh/config in your editor of choice; you'll need to add a record like so:

Save that file (replacing the example hosts and usernames with your own). The magical part here is the ProxyCommand line. With ssh_config we can use ProxyCommand to specify a command that connects to the server; all occurrences of %h will be replaced with the target host name and %p with the target port. When used in conjunction with netcat, the ProxyCommand config parameter can be very powerful.
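The entry this method relies on, as an added example rather than the post's own text: it writes the ProxyCommand stanza to a config file, refuses to duplicate it, and sets the owner-only mode ssh enforces on ~/.ssh/config; it also notes OpenSSH's built-in ssh -W replacement for netcat, which the post does not cover. The host and user names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders: the LAN
# host is target.lan, the jump host is www.example.com, and the user names
# are made up. Writes the ProxyCommand stanza the post describes and sets the
# owner-only mode ssh requires before it will read ~/.ssh/config at all.
set -eu

# Print an ssh_config stanza for a LAN host reached through a jump host.
# ssh expands %h to the target host name and %p to the target port, so the
# same stanza works for any port you give on the command line.
proxy_entry() {
  target="$1"; jump="$2"; jump_user="$3"; target_user="$4"
  printf 'Host %s\n' "$target"
  printf '    User %s\n' "$target_user"
  printf '    ProxyCommand ssh %s@%s nc %%h %%p\n' "$jump_user" "$jump"
  # On OpenSSH 5.4 or later, "ssh -W %h:%p" in place of "nc %h %p"
  # removes the netcat dependency on the intermediate host.
}

# Append the stanza to a config file (created if missing) unless a stanza
# for that host is already present, then restrict the file to its owner:
# ssh refuses a config that is group- or world-writable.
install_entry() {
  config="$1"; target="$2"; jump="$3"; jump_user="$4"; target_user="$5"
  mkdir -p "$(dirname "$config")"
  [ -f "$config" ] || : > "$config"
  if grep -q "^Host $target\$" "$config"; then
    echo "entry for $target already present in $config" >&2
    return 1
  fi
  proxy_entry "$target" "$jump" "$jump_user" "$target_user" >> "$config"
  chmod 600 "$config"
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Show the ProxyCommand ssh would actually use for a host without connecting
# (ssh -G, OpenSSH 6.8 or later): confirms the stanza matched the host name.
show_proxy() {
  ssh -G -F "$2" "$1" | grep -i '^proxycommand '
}

# Usage: install_entry "$HOME/.ssh/config" target.lan www.example.com alice bob
#        show_proxy target.lan "$HOME/.ssh/config"
```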

You should now be able to execute the following.

source.host~$ ssh target.lan

This should give you direct ssh access to the internal server. What's great about this method is that you can use other tools that utilize OpenSSH for connections, for example:

source.host~$ scp -r ./local_dir target.lan:~

This will recursively copy the local_dir folder to the remote LAN host. Cool huh?

Pros:

Single command

Directly SCP files

Cons:

Additional config

Requires netcat on intermediate server

Note: I put netcat down as a con, but realistically most (if not all) GNU-based boxes will have this installed.

So there you have it, some simple SSH commands that may make your life easier. Don't forget to check out the man pages for ssh_config and nc for more details.